CVE-2024-3570

Name of the Vulnerable Software and Affected Versions anything-llm (affected versions not specified)

Description A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to perform actions on behalf of the user, such as creating a new admin account or changing the user's password, leading to a complete takeover of the AnythingLLM application. The vulnerability stems from the improper sanitization of user and ChatBot input, specifically through the use of dangerouslySetInnerHTML. Successful exploitation requires convincing an admin to add a malicious LocalAI ChatBot to their AnythingLLM instance.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.